Slashdot Mirror
FBI: Massive MS Exploits Over Last Year
Wanker writes "An Eastern European hacker group has spent the last year systematically exploiting known bugs in IIS to steal customer and credit card info. Read about it at the
SANS security site."
Says SANS, "The FBI and Secret Service are taking the unprecedented step of releasing detailed forensic information from ongoing investigations" of the IIS, MS SQL Server and Windows NT breakins. We don't normally post news about exploits, but the scale here is massive: more than a million credit cards have been taken in a blackmail-extortion operation that has been going on for a year. Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities...
Update: 03/09 03:37 AM GMT by J : Microsoft says,
Don't Be A Victim!.
If you are an NT admin or know someone who is, note especially:
"Within a day or two, the Center for Internet Security will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems...
"The Center's tools are normally available only to members, but because of the importance of this problem, the Center agreed to make the new tool, built for the Center by Steve Gibson of Gibson Research) available to all who need it."
1337!
Instead of a S-kiddie, you'll be an MS-kiddie!
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
The two kernel monte still reboots, it just doesn't require a reset. All kernel statistics get reset when you do a two kernel monte.
If you need web hosting, you could do worse than here
Quake III Arena...
"What we really need is browsers to come with a warning before anyone submits a sixteen digit number to a form on a server running IIS"
Why not use a proxy to trap this? It's tempting to do a Junkbuster patch - just needs a separate lookup on www.netcraft.com (hopefully cacheable). Of course, non-IIS servers can have holes too, so it would be useful to generalise this to look up against server-auditing services (if there are any that can be trusted).
Hmm.. the kernel notes lists quite a few security patches to the kernels over the last 1-2 years. Many of them are DoS attacks, but that's still something that should be applied.
If you need web hosting, you could do worse than here
These kind of exploits are nothing new, neither are incapable sys-admins and Eastereuropean scriptkiddies
(think about why they are allways declared Easterneuropean, btw!),
Yeah, I like to buy stuff on the internet and loads of it, if my bank-account allows me!
But I hate to cancel my creditcard every few months (that is: say it's lost and ask a new one free),
because I DON'T like to put that kind of information in other sysadmins hands!
What the hell are they thinking, keeping this creditcard information in their databases, that should be illegal!
If they insist on keeping it, perhaps they should keep it on a secure server, that means NO internet connection people, and put the damn thing in a safe too, for godsakes, that's were some SANE people store their creditcards if they don't need to use them!
So I'm still waiting for the day that I go to my bank and they will give my a small calculator and a list of numbers I can use only use once, then I use my calculator and generate a code with each number for every time I want to buy something and when I'm done with the list I go back and get a new code-list instead of having to change my creditcard number every friggin' time!
There is no general way to upgrade the Linux kernel without restarting the kernel, either by a reboot or the two kernel monte.
If you're a kernel hacker, you could probably rig up a debugger to do this, but it would require a *LOT* of skill. Something a sysadmin wouldn't have.
If you need web hosting, you could do worse than here
..the fact that corperate... ...one of the largest corperations...
by the way, those words are spelled "corporate" and "corporation".  too bad they can't afford literate help...
if i'm a grammar nazi, you're an illiteracy nazi.
Trust me, it broke, lots of servers. At my previous job as a sys admin I had the "pleasure" to see after installing SP5 one of the NT servers crashes after about 3 minutes of activity...
Service pack 6 also broke the Lotus notes (I think, or was it Domino?) servers, until came the 6a service pack..
I guess thats life with MS patches. Test on lab before put on the production servers...
Hetz (Heunique)
Test environment? How in the world are us five-figure sysadmins going to get the budget for realistic test environment past the board at our cash strapped non-profits? Do I use my own equipment, at home, outside my 75+ hour work schedule? When will I have time to wax the CEOs car?
We've got seven NT servers and two *nix boxes, each doing a different task, fom SQL to Exchange to web serving, and everything in between.
I wonder what the test environment would look like for that.
Would you like to make a donation?
Very True. This guy shouldn't have been modded "Troll". If moderatore/slashdot/posters/etc... can't say anything nice, we are talking to ourselves. Let the FBI be the bad guys here. Use quotes from what the Story had to say for the negitive and concentrate on the positive.
"Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities..."
"I've worked with many companies, both Windows based and UNIX based, and in my experience there's plenty of clueless sysadmins to go around."
That is totally true, for some ass kissing is enough.
"In fact, while I have no numbers to back it up, my experience suggests NT sysadmins are MORE likely to be running patched systems than UNIX sysadmins... Not because they are more clueful, but because its easier to install one monolithic service pack than hundreds of seperate patches to deal with specific security problems as is the norm on the UNIX side of things."
For the preceding statment...
Solaris==true
FreeBSD==wrong question
Red Hat (based)Linux==true
Debain Linux==false
If you don't know Debian let me teach you...
apt-get update [return](sync up database)
apt-get upgrade [return] (update all updated packages)
Thats it, all updated up to the minute. Even if someone is waiting just for your box they may never get in!
"I'm not saying the NT 'way' is better -- you certainly generally have to wait longer for a fix to a known problem on that end, but to suggest that sysadmins who use NT are someone less clueful or responsible just because they are running NT is just, well, fucking stupid."
"less clueful"---->probably, I honestly think most people here are tring to help you discover what we have discovered about computers and the good side of the source.
"(less) responsible"---->If anybody tells you that they just a jerk. They are "fucking stupid" They don't speak for everyone though. :)
Novel theory: Modern Man evolved from psychopath
I won't argue that installing a blank password isn't bad. It is.
/" to consider.
But so what? Your DB shouldn't be accessible to outsiders anyway. It should be "hidden" somewhere unreachable, preferably in nonroutable space (RFC1918). Your applications need to reach it. Outsiders don't.
Of course, using UNIX is no magic solution. I know of a company that deals (if they still exist) with *money* in their DB. The child DBA installed Sybase on a public IP and left the password blank. That he did this on a Solaris box didn't make a difference; it was still stupid.
Needless to say, they didn't bother with a firewall.
Back to your message: hardcoding *any* password is an invitation to problems. I know of a different company that had a password hardcoded throughout their software. This was a password which provided login access to the web servers (among other things). Of course, an ex-employee of reduced morals exploited this and gave them a nice "rm -rf
It wasn't the root password, so it didn't kill everything. But it took out all of their application software.
They'd have changed the password more often, but "it was too hard" to do so because it was encoded all over the place.
We won't even discuss the wisdom of how this company organized their file ownerships and access rights.
So the blank password is really a red herring. Access to the DB from outside is wrong. Hardcoding any password is wrong.
And these are wrongs that can be committed on any OS.
Too bad Windows Update is not kept updated. Follow Bugtraq, and subscribed to the MS lists for awhile. They have fixes available for download for weeks to months before they show up on Windows Update. You can't depend on that service, you have to poke and prod, and keep your ear to the ground yourself.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Thank you for goign out of your way and point out the obvious :)
:)
...
I clearly said, one of those clueless types. The reason why there are a lot of clueless types is MS marketing (you dont need a 6 figure ms admin, its easy to use!) and the fact it does seem very easy to use, just harder to get right in practise
A good sysadmin with experiance would know to duplicate the production box (hardware, services, configuration, everything) and install the SP on that first. Test every application, double check again, and then after a week of making sure it didnt break anything, install on the production server.
However a clueless admin wouldnt do this. "If MS published it, and says to install it, why shouldnt i?!" MS does go out of their way saying its easy to keep the system secure, just install the SP
Its the combination of factors that makes the situation prone to accidents.
-- Chris Chabot
"I dont suffer from insanity, i enjoy every minute of it!"
I installed RedHat 5.2 on a server on the internet at a previous place of employment.
I later quit that job. After that, no patches
were applied to that box, which was the company mail server.
I later heard, from a friend of a friend who still works there that the box was hacked.
When you put your credit card number into a web site, how do you know if they have a full staff
to maintain the boxes and network where your
credit card is stored?
At my current place of employment, an NT/IIS based web site was recently defaced. So they ran down
the list of measures required to close the holes
and sent them to the list of sysadmins for all the boxes outside the firewall.
Not all the measures where service packs. Some involved disabling RDO. Luckily, there were
no credit card numbers involved.
Kernel versions and service packs are not enough.
To greatly reduce the chance of being hacked, you have to have
good people given enough time to keep checking the
security alerts and changing the box configurations (both Linux and NT) to keep all
the known security holes shut.
"We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
=-=-=-=-=
=-=-=-=-=-=-=-=-=
Oh bother.
http://www.nsa.gov/korea/papers/sigint_background_ korean_war.htm
sCary is just the man! runnin' that shugashack.. err shacknews.. server and, like, savin' the world from credit card vandals on the side! man I didn't know he was into that whole bruce wayne/batman thing..
Nothing, we don't get nothing.
Your wallet is stolen and you can report to police, your credit card and personal data is stolen and you don't even know, even if the ones that were keeping the info knew that it was stolen.
All this is very flawed.
MY data belongs to me, I claim the right to have it myself and just me, I don't want to be stored anywhere.
If I show you my car you don't assume it is yours know, why the heck should retailerwhatever.com feel the right to keep my data in a database just because I showed them for the purpose of buying once in a lifetime? Don't store my data anywhere and if someone breaks in your computers, I don't give a damn thing them, it is your problem. But no... it has to be the other way, store my data, a criminal breaks in, takes it, I am stolen, you never tell me and now it is YOU that don't give a damn, after all it is me that has been stolen.
Sorry for the rant.
My uncles Card was stolen this year,
He ordered some robotics stuff,
It never came, but wierd charges showed up on his card.
When he called the place, some chinese lady awnsered the phone.
He ordered online, I wonder if it could have been stolen through this Crack?
The biggest problem isnt that people dont know they need to update, but that they dont have remote access to colocated or otherwise removed servers. If I have my box under my desk, its easily upgraded. If i have my box in an office 20 miles away on a nice t3 connection, its a little harder to do.
Mooniacs for iOS and Android
About the breakins you don't hear about...
That's a good question. Microsoft has even gone so far with Windows 2000 as to include Windows Update RIGHT ON THE START MENU! Heck, you can even download a little daemon that tells you ever time there's a security patch. Click on it, and it installs. Voila! Stupid admins.
For instance, at my employer, we often use a particular web server package with Windows NT 4. Our corporate standard is NT 4 with SP4 (I have no idea why.) When I go to install the webserver on a standard box, up will come a little message to the effect of:
We click 'Yes', and fortunately for us, the program works without a hitch.What is this product, and who is the far sighted software company that knows not to trust Microsoft's SP updates?
It's IIS. And the software house is Microsoft.
--
You are not alone. This is not normal. None of this is normal.
Don't forget, the easier to build an e-commerce site is to use, the easier it is to get screwed. Gee, Mr. Jeff Bozos, Internet Get Rich Quicker: "NT is quick out of the box and everyone uses it, well I should put my E-Business on it. Teehee, install and forget? Keen!" Urie the 3l1t3 Russian Haxor: "Haha! What is this? SP3? Time for me to beink getting pizza, with some person other than me's kredit kards! Da, is good!" Bozos: "Whuzzis? I don't know nothin' about upgradin' no servers and what is this here, 'Securitee Upduhate Neheeded?' This computer stuff makes me thirsty, what was the button Homer pressed?" Urie: "Yes, I would like 350 large pizzas, with everything, and borscht for 200. Nyet? No borscht.... is okay! Could you be makink design out of anchovies on pizza? Da? Could it be beingk a [mumble mumble] Be deliverink it to Mr. Jeff Bozos at junglebooks.com for me. Da, is good." What will Jeff do when he discovers that his valuable credit card database has been stolen? Will he call the cops? Notify his customers? Eat the anchovie pizza? We'll find out next time on, "As the Tech Bubble Bursts!"
"Life's funny sometimes." "And sometimes it isn't." --Cat's Cradle
I admin at a research lab, and the GSR's (graduate student researchers) are always asking me "Can you install Matlab6"? To which I reply, "Whats wrong with matlab 5.1?" ... "Well, the EE department has matlab 6..." "We will to, as soon as you can tell me why we need it."
Granted, In this case the windows patches were definatley not-optional, but I understand the mind frame that wouldn't wanna install them.
Free Techno/Jazz/DNB/MI Music by guys obsessed with monkeys!
Yep, service paks don't get installed because we've learned to be afraid of them. And even if the SP fixes a security hole, MicroShaft has a nasty habit of introducing brand new features in the service pak, with brand new security holes.
At my previous job, I saw firsthand an MS SQL application being hardcoded with the username and password. I was shocked. I expressed my concern, but nobody seemed to care.
-- Will program for bandwidth
If sys admins have their hands full taking care of just one OS, imagine the exponential number of exploits and necessary patches many operating systems would require. I fail to see how fewer exploits is worse than many exploits. I don't buy the argument that there's obscurity through diversity here either; an exploit is an exploit is an exploit, plain and simple.
I charged a big conference fee to my visa card a few days back, got into work the next morning and there was voicemail from my bank, please call. I did, and was told that my card had been "compromised" along with lots of others and I'd need a new number... I thought it had something to do with the conference, or the fact that I'd bought something from amazon in the previous week. -T
Unicenter TNG. Login scripts. Repackaging messy installs with WISE Installer. Smart NT admins know how to do this stuff. You Don't.
I can't wait to tell the sysadmins about your last point: "same amount of time." Both the UNIX and NT guys will find that hilarious.
Be sure to ask them about what they run on those superior UNIX boxen. I wouldn't disagree that a Solaris or even BSD box is great for basic network services (DHCP, DNS, HTTP, FTP) but there are some big time business applications that aren't ported to UNIX. The business I work for uses a system that scans, OCRs, indexes, and permanently archives tens of thousands of documents a day. The software we use is NT only, and it works incredibly.
Not everything that a business needs is a simple connection daemon or a fucking java servlet.
1) not programming to NT specs (something broken that you were depending on got fixed) or
2) using a compiler that is guilty of #1
Who said that the cc numbers were actually on the webserver? If you can attack the webserver in such a way as to have it execute code, it can easily connect to a second db server. OR... You can see the source code, grab database passwords often in plaintext in the sourcecode, and hit the SQL Server database with enterprise manager remotely - unless they've wised up and had SQL server ports blocked except from trusted sources. From what I've seen, that's doubtful. People will spend thousands on a firewall for SQL server rather than just restrict access to specific IP address at the network card level.
creation science book
Hotfixes are the updates to the specific files affected. Most are available to d/l off the web. If you don't do this your boss should be fired.
Incompetence is the >87% norm in the world of nt admin. It's amazing how unprofessional these self-styled "engineers" (who have never taken a physics or calc. class ) can be. They completely lack the ability to analyze problems, devise solutions, and implement them correctly.
Microsoft DID toughen up the standards for the Windows 2000 MCSE test's. Hopefully this will flush out at least the bottom 1/3.
Yes sir. Microsoft has pleanty of management tools like this that were added into Windows 2000 server (most likely only in the advanced server though).
Well, first off, I said NT, not 2000. However, let's go with your response and take it as given that 2K is NT 5.0.
I can do this with Solaris workstations, even PC-hardware Solaris workstations. I can do it with the free Solaris downloadable off the net.
I can do it without buying anything extra.
I can do it from anywhere in the world that has a telnet client available, or for that matter just a web browser since I can use a Java telnet client.
And, more importantly, I can set it up on Friday afternoon, and have it happen automatically on Sunday morning. Reliably. Setup takes minutes.
-
It's tempting to do a Junkbuster patch - just needs a separate lookup on www.netcraft.com
Why? Junkbuster can look at the "Server" response-header all by itself. It doesn't need netcraft for this.
In light of this mess, I'm even more nervous about MS-backend shops than I was before. Is there an easy way to tell, off hand, if a given site is implementing an IIS-based solution? I.e. when I'm looking for hardware on Pricewatch, I wouldn't mind spending a couple extra bucks (on a $100 drive or whatever if I could find out a little more about what backend the company was using...
I just checked - you are absolutely right, the patches it just added to my ServicePack 6a'ed NT 4.0 Server were - IE 5.0 SP1 and a miscellaneous "security" patch. It didn't come close to adding the 27 patches available for download from the NT 4.0 download page - nor did it even try to do apply IIS related patches (when I have IIS installed).
The question is do you think you're IIS server is secure because you used windowsupdate?
This post does not exist
...so simple nobody is doing it. If sys admins don't like this new feature from MS, perhaps they should go back to serious patching of their machines. Otherwise, someone else will be there to do it for them
Hmm. I think it is in the manual, but don't quote me. I'm at home, and can't be certain. You're right though, it definitely was NOT obvious that an MDAC update was needed.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Be fair. The MDAC and Y2k updates were never "part of SP4". They just came on the same CD with a neato batch file that did the SP update and then ran the MDAC and Y2k updates if you needed it.
I suspect that too many people "accidentally" updated their MDAC with this process and then realized that their improperly-coded apps require a specific (older) MDAC version. Oops. ODBC broken.
So, in the interest of not causing those sort of headaches, MS simply removed the automated option to install all the MDAC and other Y2k updates for SP5.
That means it's a Post-SP1 hotfix that will be released as part of W2k SP2 when it comes out.
Actually, the version of SP4 I used, and still use (I start with SP3, then apply the rest in sequence) is the 128-bit download version. I have SP4 on the SQL 7 cd, and SMS 2, but I prefer to use the downloaded version for my NT service packs. To use the cd, I either have to put up with the neato-keano GUI crap, or dig through the cd to find the installer. Easier to download it, and keep it in an easy to find place. Anyway, the point of this was that the download version does bitch at you if you haven't updated MDAC, and don't have the correct version of IE installed.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Yes, you can run ssh on windows. You can even install korn shell and get SOME scripting capabilites. What you can't do is effectively deploy software updates in this manner.
NT4 Service Pack 6a. Thanks for bringing this up. Try grabbing an older NT4 CD with Service Pack 1 and installing 6a on it. I've done this several times... I refused to believe fellow NT admins that upgrading from SP1 to 6a was a bad idea. That is until the systems I installed blew up and died once I configured IIS and JRun, and theirs didn't. Make sure you install 3 or 4 before installing 6a or the system will be VERY unreliable. One of the boxes I did this way bluescreened and never booted again.
I can't wait to tell the sysadmins about your last point: "same amount of time." Both the UNIX and NT guys will find that hilarious.
---
because its easier to install one monolithic service pack than hundreds of seperate patches to deal with specific security problems as is the norm on the UNIX side of things
:)
Well, most commercial *nixes do have "huge monolithic service packs". I've just finished setting up ten Solaris 2.7 servers, and all I had to do was run the Maintenance Update, then the latest Recommended package zip from Sun. Basically, two service packs.
You've just been looking at the Linuxes, where this level support is not there yet (although Debian and apt-get are getting there.)
Of course, if you routinely install GNU or open source software, you'd have to maintain that yourself, but any competent admin can roll their own update tarballs.
Admins aren't stupid because they use NT. It's just that stupid admins prefer NT. I've met some really competent NT admins, although for some reason they almost always look like they could use a lot more sleep.
In some cases, yes, it's how things get fixed. When a company does something stupid that endangers or inconvienences its customers, the only way to get them to change their behavior is to make sure the financial impact to them is substantial. Hiring incompetant admins or overloading your admins to the point where they're always putting out fires with no time to keep up with security will save the company money. So you need to go to court and make sure it costs more to do that than to hire enough good admins to make sure your site stays secure.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
In what sense?
He didn't get the job, but a "trained monkey" did -- the guy converted the entire colleges WinNT domain setup into various workgroup shares because he didn't know how to admin NT.
Free Techno/Jazz/DNB/MI Music by guys obsessed with monkeys!
> I can use ssh to do that simultaneously on several hundred systems. Can you say the same with NT?
www.ssh.com. Remote administration for NT. Please research your information before speaking out of your ass.
> The fact is, NT service packs are a horrible mess and hassle. You have to remove the pack and reinstall it frequently, and if the pack is fixing support for hardware you NEED to access the system, you've got a serious issue on your hands.
Really? That's news to me. I'm using NT4 with Service Pack 6a without a hitch. Perhaps it's just you.
> Oh; using wget and ssh, I can automate this process for hundreds of machines in minutes. How long does that take to set up in NT, again?
Same amount of time.
Thats my problem with windows in general. It tries to hide to much from you. When it works, its nice i'll admit, but if it doesn't, well you're screwed.
Windows assumes the user (in this case admin) doesn't know what they're doing. Appaerently, Windows is right...
However, I do feel that ecommerce sites should be held somewhat accountable for a lack of security. Maybe the banks that offer the credit cards should sue particularly insecure sites.
LedgerSMB: Open source Accounting/ERP
It is not a good piece of software. If I could set the interval to once a day, it maybe would be a good piece of software. I don't want anything on my system that scans my system (that's part of the notification process) and goes out to an external web site every five minutes. That begins to be a noticeable burden on my system.
I see this as an advanced example of Microsoft idiocy. If they were going to hardwire in a value, how about once a day? As it is, they have given sophisticated users (the ones who want the maximum control over their own system) every reason not to use this bit of software.
Fortunately, it's the sophisticated users who are likely to have other means of staying up to date. I'm subscribed to every security mailing list I could find. If something comes through and it's about a vulnerability in a Microsoft product, I go check Update to see if the fix is there. Frequently, it isn't, since there seems to be quite a time lag before things are posted to Windows Update. I usually end up addressing a problem long before the fix is available via Update.
For the casual user, maybe the check every five minutes works, but only because they don't know enough to be bothered by the fact that Microsoft is forcing them to run a task every five minutes. There simply is no reason why it couldn't be a check over a longer interval.
Bibliofind.com got hacked recently (or more accurately they noticed they'd been hacked) - they sent all their customers a mail explaining what had happened.......
**Vanuatu or bust**
Yes, I would say a lot of them are being run by NT admins. Not all, but a lot.
:)
They want the same Gui/DontNeedToKnowHowShitWorks install and configuration utils. Most of the time I come accross people running RedHat it's often companies where their NT admin wanted to try something different but still wanted their hand held, or a "user" who thinks that clicking buttons in webmin/linuxconf makes them a "Unix Admin".
I've yet to meet any network/server that was setup by anyone with more than hobbiest experience who runs RedHat.
Of all the things I need to deal with on a daily basis, regular fear of my servers is not one of them. Hence I avoid RedHat like the plague. Besides I'm not a fan of rpms, but that's another rant
Hopefully the presence of this software will help those people that haven't been actively maintaining their systems realize that this is something they should take more seriously.
Good call on this though. `8r)
--
Gonzo Granzeau
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
Cool! I'll have to use this utility to select the next web sites I'll crack. I used to have to run tons of different 1337 scripts to accomplih that same goal, but now it looks like I can do it all with one app. :)
:) I was joking when I wrote it, but I was trying to make a point, too. Whenever these powerful security analysis tools are released, often times they're equally useful to black hats as well as legit folks. Remember when that SATAN tool was released years ago?
I'm not sure why this was rated offtopic. Troll, maybe
Hopefully, maybe the tool they're releasing can't even diagnose the flaws of NT directly. Maybe you have to run it directly on the NT box you're looking at. I hope that's how it works, because otherwise hackers will have a field day with it remotely scrutinizing people's boxes.....
http://www.bootyproject.org
OtakuBooty.com: Smart, funny, sexy nerds.
Who says the internal machine has to be a database connection?
For example...
Use a message queue service like MSMQ or MQSeries to setup a one way communication gateway between the web host and the internal order processing server.
I don't know, just seems dumb to have customer data available on the web host or on a machine directly accessible from the web host.
Um, this is on the server, where Microsoft dosen't have a monopoly, not even a plurality. According to netcraft, that title belongs to Apache.
So what's microsoft's problem?
There are a number of them, as I see it:
Bruce Schneier once called security a "process, not a product". Microsoft has tried to pretend that they are selling a product. That you go to the store, buy Microsoft Foo 2000, pull the disks out of the shrink wrap, and use it like you'd use a television or a vacume cleaner. An Operating System is too complex of a beast for that to be the case, and no amount of Wizards or flying folders is going to change that simple fact.
Jordan Bettis
``Wherever you go, there's another stupid sigfile quote.''SP6 broke everything that required a TCP port higher than 1024, IIRC, that was running with an administrator account.
On our PDC, we had our vendor come in to apply SP3 after it had been out for a couple months. It took 5-6 hourse, and a couple dozen reboots, since explorer would hang immdiately after login. All that could be done was reboot, again, and again, and again, until finally it came up.
SMS 2.0 gave me fits last year, as it claimed it required "NT4 SP4 or later, IE 4 or later." Well, I installed SP6a and IE 5.0 SP1, and the little fucker just wouldn't run. Turns out that the MS "Cumulative Service Packs that contain all updates from previous packs," DON'T contain the MDAC or Y2K updates included w/SP4. Bastards.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
It's also the big service packs, and the fact that each one breaks other things in addition to the bugs it's supposed to fix. If an NT admin wants to install the latest service pack because of security concerns, management is likely to say no. Why? "Everything works fine now, a new service pack is likely to cause more problems that it's worth".
Of course, a good admin should find out what security flaws are present on his system - but the only way to fix it may be to disable some software. At least on Linux I can only update the things I know have problems.
How about the reason that SQL server installs with user sa and no password
Having a standard or empty password on install (unless the user changes it during installation)is normal - somehow you need to access your newly installed system. Of course, any decent admin knows he should change that password...
Why does most apps that use SQL hard code this fact into the app so you CANT change the password
Plain stupid programming. Unless you write an unimportant little inhouse application without real security needs, don't do it this way.
Giving an application with hardcoded passwords to a customer will make you look VERY stupid.
C - the footgun of programming languages
Not that our Un*x boxen are inherently any better. We just seem to "care" more about knowing what our servers are actually doing.
It's also that unix systems tend towards programs which each do a single task. With NT being more huge programs doing multiple tasks. The same idea applies to patches vs "service packs".
Thus it's probably easier for someone to work out what a un*x box is actually doing than an NT box in the first place.
I think that the real problem here is that a lack of diversity in OS's creates huge security problems.
It may or may not create security problems, what it does do however is make expolits far more serious.
A software monoculture carries many of the same risks as an agricultural monoculture.
Even more so if all the distributions are binaries. Since the likes of buffer overflows depend on what's in the binary.
This is what always gets me about Windows NT. It is absolutely insane the crazy dancing-in-the-moonlight, chickenbones-waving stuff that you have to do to get it to work. Every update requires a reboot, or three. And half of the fixes break more things than they fix.
The fact of the matter is that Windows is much harder to keep up to date than even the cruftiest of *nix boxes (well, maybe not the cruftiest).
To all those claiming MS sucks, Linux rules...
That's funny, I haven't seen any of those. Maybe it's because I'm viewing at +2, but all I see are people saying "before you say MS sucks & linux rules..."
It's really getting annoying. Stop being paranoid and don't respond to trolls.
This may be something obvious that everyone other than me knows... scenario: I shop at x.com, and my credit card info is stored there. x.com gets hacked. - Does x.com have not notify anyone that their card info has been stolen? - If so, who? Card issuer? Card holder? - If the card issuer is told a card number is comprimised, do *they* take any action? ... or, is it up to us to notice funny charges?
Mike
Windows assumes the user (in this case admin) doesn't know what they're doing.
Whereas with unix type systems the admin is assumed to know what they are doing.
Open up IE, go to windowsupdate.com and download your patches.
You forgot the weather! That's one of the most important considerations when patching MS software. Don't ever, EVER do it in foul weather. A good UPS is no protection from the bad juju. After rebuilding our Exchange Swerver from the ground up as a result of Service Packing during a heavy downpour, I've learned my lesson, by God!
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
He is correct, the idea is very nice, but the time configuration should be user contolable, I also don't think that it should scan the system every time, it can just as easily keep a small database and update it when a patch is being installed.
--
Two witches watched two watches.
Which witch watched which watch?
> Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities...
... of not having NT4 service packs break a functioning system, *cough smp & sb live & sp4, = reinstall, etc cough* and if they could get *some* sort of guarantee that the hotfixes won't break something else.
e.g.
How fast was NT4 Service Pack 6a posted after 6?
*shrugs*
I buy a lot online and it disturbs be that this goes on. Why haven't the companies informed their customers when their security has been breached?
Furthermore, how many Unix-guyz ritualistically install security updates? I think that relates more to the individual person's diligence instead of what OS they use. Of course, you could argue that more diligent people use Unix, but that's another story all together.
---------------------------
That's not what I meant.
Hmmm...,
neither does rpmfind --latest, it seems.
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Hear! Hear! I, too, think that "Moderately Reasonable Guy"s should be more appropriately addressed as they truely deserve. All too often their voices stand out so distinctively among the prattling cohorts... and all of the time their mindful sentiments are no less compassionate.
I would like to suggest a new age term for these brave distinguished kindled spirits....
"Karma Whores"
Long live RMS! Long Live RMS!
It's a combination of both. As Linux gains popularity and takes on more novice users, exploits of Apache have skyrocketed, almost to the point where Linux/Apache is as 'sploit-prone as NT/IIS. This has less to do with the inherent security of the OS than with the practises of the people who deploy them. I suspect you'd see the exact same situation happening if OpenBSD were gaining popularity the same way that Linux has recently.
ObJectBridge (GPL'd Java ODMG) needs volunteers.
Finding God in a Dog
I'd like to start seeing some liability lawsuits against companies whose admins apparently can't be bothered to keep up with the current security updates. Either the admins can't be bothered because they don't know their ass ends from their elbows or they are so overloaded that something slips by them. In either case, the company is at fault.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
"Why not use a proxy to trap this? "
Because it needs to be simple for the idiots.
Except that the admins have to work out that in 1) Microsofts techno-bable means that they have a serious problem with their machine.
They have to then fight Service pack hell, and finally get plan down time on a system. thats supposed to be available for the 5 9's and reboot away.
Finally all the security announcements are written in legalise for one and only one purpose only. Admonish MS from "due negligence" and cover themselves
Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities...
I'm a programmer. I've worked with many companies, both Windows based and UNIX based, and in my experience there's plenty of clueless sysadmins to go around. In fact, while I have no numbers to back it up, my experience suggests NT sysadmins are MORE likely to be running patched systems than UNIX sysadmins... Not because they are more clueful, but because its easier to install one monolithic service pack than hundreds of seperate patches to deal with specific security problems as is the norm on the UNIX side of things. I'm not saying the NT 'way' is better -- you certainly generally have to wait longer for a fix to a known problem on that end, but to suggest that sysadmins who use NT are someone less clueful or responsible just because they are running NT is just, well, fucking stupid.
blessings,
"Only in their dreams can men truly be free 'twas always thus, and always thus will be."
--Tom Schulman
Sometimes it's not the Sysadmin's fault, either. I'm a Sysadmin for a major company, and I was horrified to learn that most of our production servers are running SP4.
"This needs to be fixed!" I cried. "Let me do this right away!"
"Sorry, but these are our production servers," they replied. "They're running the in-house applications that the engineers wrote. Upgrading the service packs will break their code. We've told them that there's a huge security hole, but they refuse to recode, and the executives refuse to make them."
Anybody who thinks NT sysadmins live in a vacuum and don't have to deal with PHBs every single day "has been eating stupid sandwiches".
Any sufficiently well-organized community is indistinguishable from Government.
Whereas with unix type systems the admin is assumed to know what they are doing
which in my experience, is often wrong.
All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
Would you actually use an automatic update if it was available on NT?
THIS SPACE FOR RENT
Right. So the thousands of unpatched RedHat systems that the ramen worm (not to mention billions of script kiddies) has been exploiting are being run by, what...NT Sysadmins?
People who live in glass houses should exercise care when beating their heads against the walls.
News for Nerds. Stuff that Matters? Like hell.
Comment removed based on user account deletion
hmmm... neither does "make world" damn... maybe I need a service patch
Success is as dangerous as failure, hope as hollow as fear.
We wouldn't want to give the illusion of frequent downtime, would we?
That still doesn't show how multiple exploits are better than one. I don't think that's the most apt of analogies you could have chosen.
Comment removed based on user account deletion
Carousel is a lie!
He brought down you network for 2 days? He needs to go and get MSCE certified. If he's that clueless he could probably pass with flying colors.
This Wiki Feeds You TV and Anime - vidwiki.org
"Within a day or two, the Center for Internet Security will release a small tool that you can use to check your systems for the vulnerabilities and also to look for files the FBI has found present on many compromised systems... "
:)
Cool! I'll have to use this utility to select the next web sites I'll crack. I used to have to run tons of different 1337 scripts to accomplih that same goal, but now it looks like I can do it all with one app.
http://www.bootyproject.org
OtakuBooty.com: Smart, funny, sexy nerds.
NT/2k is really pretty secure if dumbass admins would apply service packs and hotfixs. And shutdown uneeded services. And employ IP security. But most dumbasses assume NT/2k does it all for them because it has a neat-o gui. No different then securing a *nix host, when you get down to it...But most people would rather just whine. How secure is redhat, or most distros, out the box?
"Warning! You seem to be about to send your credit card # to www.esomewhat.com. Since this website is running the Microsoft IIS Webserver (which is known to be very easy to hack) you should think twice before doing so!"
--------------------------------------
.. that microsoft has a perfect monopoly.
I'd love to be a trillionair, be responsible for screwing millions of people in the arse, and own the entire world, all at the same time. Bill Gates, your my h3r0.
I believe that the windows update tool used in IE4 or 5 can offer to update IE-related fixes and a basic Service Pack offering, but it doesn't offer OS-related hotfixes. That's where the gold is. Go to http://www.microsoft.com and in the upper-right there's a black bar with a fancy menu that can take you to Downloads. Select your product, sort by date and start the madness.
'unskilled' is a right word, even better might be 'unknowing' ;) and currently I'm following a course on the development of secure software. Now I might say I know more-than-average about computers and I have some experience with a real-life company computer system but when the professor presented us a list of the most frequent security issues and a bunch of real world exploits the ease with which such an possible threat is introduced in the code made me feel like a 10-year old kiddie fooling around with the pc.
...just my 0.02EUR... :)
I am a CS student (yes, same university as the guys behind AES-Rijndael
Fact is that a LOT of the sysadmins out there have no clou about security and the stunning amount of threats that exist in the software under their control, just waiting to be discovered and exploited. It should be mandatory in every decent computer related education to attend a course about security in software, not only for sysadmins but for software developers as well.
Knowledge == power!
and oh BTW: the professors main advice on how to avoid the majority of threats: use Java!
I'm going to be slightly vague here.
I do software development on Windows NT at work. One of the programs I work on started development on a Windows NT 4 SP3 system. Had everything working just fine, including this little (okay, slightly flakey) graphics package. Got switched to working on something else, and during this "upgraded" the system to service pack 5.
A couple months later, I switched back to the program. Hadn't made a single change to the program. Guess what, this little graphics package was suddenly giving me memory access errors. No changes except that service pack.
Service packs are dangerous. If you have a system that you think is "working just fine" I can *easily* understand not wanting to apply a service pack. You don't know when a service pack is going to break something, or, even worse, fix something that your program depended on being broken.
I'm not saying not to apply security hotfixes... but bear in mind you may be introducing problems, as well as correcting problems.
I'll catch it in metamod and dock you a karma point.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
How about the reason that SQL server installs with user sa and no password. Why does most apps that use SQL hard code this fact into the app so you CANT change the password. How about the fact that corperate won't allow latest service packs to be installed,(I'm not allowed to have anything more than SP3 on the NT here... I obviously go against their "rules" to ensure safety, but I could be terminated for doing so.
(NOTE: I work for one of the largest corperations on the planet. we aint no rinky-dink operation)
How about the fact that SP5 basically broke every NT server on the planet, so we are afraid to apply patches from MS....
It's MS, you live with the flaws.
Do not look at laser with remaining good eye.
>How fast was NT4 Service Pack 6a posted after 6? I vividly remember it being pretty much one working day (maybe 2 or 3). I was pretty surprised to see it pop up the next day after I had just installed 6 using Windows Update. (yes, I was a freak about checking for updates... also, I installed updates for other machines a LOT)
And if the POS system can't funtion unless known vulnerabilities are exposed then the boss should be fired.
Then don't install the service pack, install the hot fixes!
--
Two witches watched two watches.
Which witch watched which watch?
First of all, WindowsNT lowers the threshold of using 'complex' systems ment for servers. So 'unskilled' sys admins, managing a NT server, are more likely to be clueless when it comes to security/patches/buqtrack/etc.
.. This kind of horrors strongly demotivates sys admins from just downloading the service pack, and installing it..
Secondly NT service packs do have a reputation of breaking stuff more then fixing them. This is partialy just 'FUD', but it has happend @ my company a few times that a sys admin (yes one of those of the clueless types) installed a service pack on the main NT server, it broke NT, exchange and the MsSQL server, and the network was escentialy down for 2 days
Just my 2 cnts
-- Chris Chabot
"I dont suffer from insanity, i enjoy every minute of it!"
On a related note, I saw a commercial a couple weeks ago for a credit card with zero liability for false charges. That is, the $50 is lowered to $0. That doesn't really seem worth it, but I suspect most people are ignorant of their rights (assuming my first paragraph is correct).
You can automatically login by clicking
# telnet www.microsoft.com 80
Trying 207.46.230.218...
Connected to www.microsoft.akadns.net.
Escape character is '^]'.
GET / HTTP1.0 [\n\n]
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Fri, 09 Mar 2001 02:51:16 GMT
Content-Type: text/html
Content-Length: 87
<html><head><title>Error</tit le></head><body>The parameter is incorrect. </body></html>Connection closed by foreign host.
-----
Yes, you can set up the server to fib, but most servers will tell you what they're running, so it should be trivial for Mozilla to give warnings for particular servers.
"with their freedom lost all virtue lose" - Milton
Exactly because of this, it's advised not to keep your DB connection strings in plain-text, I know that it's a common habit to put a lot of your bussiness logic in a COM object and just call that, make it much harder to get your passwords.
--
Two witches watched two watches.
Which witch watched which watch?
Only if they have been stoned and petrified first......
Thus it's probably easier for someone to work out what a un*x box is actually doing than an NT box in the first place.
.. possibly some.
MUCH easier. At least IMO anyway. I run specific daemons for each task and I know what EVERY program on the process listing is doing there. Sure, NT has its services and its process listing but it just somehow seems more 'detached' from what it's doing.. I don't know why I get that feeling. Predjudice?
It might be just how NT admins are, but the ones I've known just have no clue about what every process the machine is running actually DOES. They know what they 'installed' via pointy-click but it's all because it's dumbed-down so they can 'handle it'.
--
Delphis
It says million of credit card numbers were gleaned, and who knows what else, but, I'd really like to know which, if any, large companies have been exploited by this. Yes, it's MS software, but I'd like to know who's running it.
-Andrew
Nt 4.0 Security Patches are here.
This post does not exist
Anti-Linux Jihad: "Every time something goes wrong with Microsoft software all you Linux wackos go nuts claiming that MS sucks and Linux r0x! It's totally unfair, Linux has problems too! And you can set up your MS software to fix the bugs and security holes! Yadda yadda! Fahrvergnugen!"
:)
Pro-Linux Wacko: "This just proves that MS sucks! Their software sucks and causes problems to no end! Microsoft should go to Hell and DIE! And Bill Gates too! Free Software is the One True Way! All hail Richard M. Stallman!"
Moderate Reasonable Guy: "Okay, okay, settle down children--*BLAM BLAM* (shot by Anti-Linux and Pro-Linux Wackos)
Okay, we've gotten that out of the way. Maybe now we can have a reasonable conversation instead of the usual prattle.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Actually the same claims to liability still hold, but you might be a couple of weeks without any cash.
Just a Tuna in the Sea of Life
Oh yeah... the banks are actually quite happy when CC#s get stolen. I had mine stolen a few years ago, reported it stolen, had my number changed, and the @#$%#%$^#% bank continued to allow charges on the old number through afterwards! And this was after it was over the limit too... so no, don't assume the banks will notify you if anything could have happened...
Consequently, of course we care more about what it's doing! Those other processes/users are our neighbors! And even recreational admins spend lots of time tuning their boxen; is this analagous to perfecting your living space?
I'm straying off topic. In short, unices give a virtual sense of place, which then ties into all sorts of hardwired emotional responses for dealing with our physical environment.
Am I nuts, or is this good advice for a UI designer??
For example, I can put security.debian.org in my /etc/apt/sources.list, and set cron to run apt-get upgrade nightly. This will automagically install any security patches with no user intervention.
I hope you only do that for your desktop machine, and not any production servers.
An example for why this is a bad idea: I tried upgrading Zope today in response to a security alert for Debian. I install the package as normal, however, when I try to access the web server, it asks for a password, and doesn't accept any valid ones. This is for the front page!
If that had happened during the night, our server would have been unavailable for hours. As it is, I just re-installed the old version, so our downtime was limited to just a few minutes.
I usually try to test out upgrades first, but since the last Zope upgrade went very smoothly, I started to get cocky (and thereby less careful).
Another good (IMHO) update site is updates.com. It's a ZDNET site, but let's not hold that against it.
It shows you a list of what you have installed that has been updated, whether it's MS or not, OS or not. I'm not sure about their update frequency, but they tend to have updates relatively soon after they appear.
Link for the update page is here.
daBumI am dyslexia of borg - your ass will be laminated.
Uh... OpenBSD is not created solely by one developer. I happen to know about 4 developers of the OS and they're cool as all hell. So you would rather run an insecure Operating System solely because the developer is an ass? Damn you just described Bill Gates in his completeness.
I don't care who is writing it as long as my data is safe I have no concerns over someones attitude.
360 degrees of Karma
I keep a seperate card specifically for online transactions. It has a woefully small credit limit so I'll never be out by more than I can afford.
Almost every credit card I know of does not hold you responsible for transactions on the card if stolen. When my card was stolen I paid $50 (Maximum liability) even though there was over $8k put on the card.
Apt does MD5 checksums before downloading anything.
War is necrophilia.
The reason for not installing service packs is simple: service packs typically break the server or the software that's running on it. It's worth the risk of getting hacked to not accidentally kill a mission critical server by installing the defunct service pack. I've worked on many an NT server that simply cease to function after patch application. Or sometimes if the server is still running, the mission critical application that needs to run finds some incompatibility or conflict to prevent it from running on the new patch level.
I will admit that Windows 2000 Update has greatly improved the patching process over Windows NT, but NT admins always have that fear that the next patch is going to kill the server and have management bitching about 8 hours of downtime.
I am very surprised MS didnt' fight to have this information surpressed. What makes me curious is why they didn't publish info on all system exploits and the effects, or is it that MicroSoft SysAdmins are that notorious. Not flame bait I'm just posing a serious question.
Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities
Because apt-get update;apt-get upgrade doesn't seem to work on my NT boxen...
Often it can be impossible to get approval from management to upgrade like this with no testing
I can't agree more. Usually there are two type of management:
1) It's from Microsoft it should have no problem, APPLY IT ASAP!, as a side note if the box broken it's your fault. Question?
2) Test it before applying it to our mission critical *Lotus Notes* server! (Test?! How?!)
I previously work with manager of type 1). Usually I'd just lie and said it's applied, they couldn't tell the difference.
I now work with a manager of type 2), and hell, we buy an exactly duplication of the original NT server for testing. It's a SMP Xeon with RAID 5 build in. The cost to buy two servers+maintenance is even more than getting a much faster and stable UNIX box.
Any NT admin out there work with management style other than 1 and 2?
I guess it is actually interesting that the FBI is breaking their usual policy, but other than that, what's the news here? Nobody, not even MS, surely, claims that MS products aren't chock-full of pathetically naive security holes. The thing that really gets me is that not only does MS have more than their share of run-of-the-mill security holes due to oversights like buffer overflows, but they have vast numbers of known problems due to deliberate design "features".
Our company refuses to use MS products for *anything* whatsoever that requires the system to be accessed by the outside world. Internal use only.
Actually, I take that back. We once had a project that for some BS reason or other could only be run on NT/IIS. We forced our guys to put the box outside the firewall so that when it was hacked, at least the kiddies wouldn't have access to any other machines.
I work with some world-class NT engineers and they know their shit. While I give them a hard time for not using a real OS, I have to admit that they've proven to me that it's the quality of the syadmins, not the quality of the OS, that really matters. (I still think windows sucks, but I admit you can make it suck less)
However, even God's Gift to NT can't change the fact that in order to do certain things in windows (service packs in particular) you have to jump through so many hoops, and the multitude of reboots (and hence downtime) from those hoops, that many companies can't or won't afford the downtime. With *nix and most other OS's you aren't nearly so screwed and can address the vast majority of updates/fixes etc without incurring any downtime.
And that is one of the main reasons these known holes in the Windows world are so common and exploited. Not to mention that it has the added bonus of reinforcing the perception that NT Admin==Clueless Monkey which we all love to laugh about. :)
Do not taunt Happy-Fun Ball
You're right about avionics - in the year 2001. But in 1950, the avionics gap wasn't anywhere near what it is now. Also, most kills at the time were still gun kills, which are implemented almost exclusively through the skill of the pilot himself.
Read the EFF's Fair Use FAQ
I think Microsoft actually has a pretty good mechanism for distributing patches, WindowsUpdate. They've even got a little remimder tool to inform you of critical patches. There are other, more elaborate, tools if you care to look for them. The big problem I have with this system is that setting up automatic failover is a pain in the ass with Windows (especially NT), so applying patcheds requires reboots which causes downtime. However, the MAIN problem is definitely inept NT Admins. I'm an NT admin and, to a very large degree, most NT admins I've seen were incompetent. OTOH, I've met very few truly clueless Unix admins, and those really were just "obsolete", only knowing Unix from the big iron days.
It's kinda like monitoring network perfomance using SNMP rather than a passive packet sniffing program (on a separate machine connected through a hub and placed in a strategic location on the network). Using SNMP is just going to throw off the results and slow down the network because it's throwing more traffic on the network.
Of course why you would want to use anything Windows for such large scale operations instead of using an AIX Mainframe is beyond me, but to each his/her own.
I use VNC on all the machines (including desktops) at work - it works great.
Of course I'd much prefer operating systems via console, but saying that you can't remotely operate it isn't true at all.
do you even think before you spout this kind of drivel?
You sound like one of those $12/hr daylabour tech monkeys that your so-called "gurus" like to hire for cleaning up messy wiring jobs, scrubbing floors, breaking down old equipment, etc.
Nobody is saying that greater productivity and the like are bad in any way! It's just important to balance these things with a bit of common sense about security. If you don't think about the security of your systems, who will?
EOM
...didn't bugtraq give up on tracking M$ bugs, due to the fact that M$ acted like they didn't care if there were holes or not?
Need a Linux consultant in New Orleans?
Yes, and any particular company has to put all it's eggs in one Server OS basket or risk insanity. So I guess a company should take great comfort that there are OTHER companies somewhere out there that didn't get hit with the exploit that brought them down. Wonderful.
Ok my karma is maxed out. When do I become Enlightened?
But watch out for Visa debit, whereby despite the cute Visa logo, your entire checking account and linked savings account can be siphoned and you will be left SOL.
People often fail to realize that each time a service patch is released, it means your system was vulnerable every single day from installation to the day you install it. Each service patch (well, each security-related service pack or hotfix) is in response to a discovered flaw.
With such a wide-sweeping operation as the one detailed in this article, who's to say that the security hole to be addressed by next months' hotfix isn't being exploited right now?
Trained hotfix monkey or 6-digit sysadmin, your IIS system is still vulnerable today to the bugs that go public tomorrow.
Which isn't to say that IIS is alone in this vulnerability, but it's silly to assume that keeping up to date with security patches and revs, be it Windows, Linux, Irix, or whatever, is a panacea to security break-ins. Your e-commerce architecture should be such that the credit cards are never on the same machine as your public server, and that the public server only has the ability to send CC info to the CC database, and never the other way.
Kevin Fox
--
Kevin Fox
1)Read Microsoft's secutiry bulletins.
2)Find sites that haven't patched the hole yet.
3)Crack the site using information provided by Ms in step 1.
4)Repeat.
It pretty amazing to me that commerce sites don't patch security holes as soon as fixes become available.
Jesus used to be my co-pilot, but we crashed in the mountains and I had to eat him.
So they have one poor soul doing 5 peoples' IT jobs. *sigh*
Amen to that, brother. The vendors use NTs ease of use (shallow learning curve) as a big selling point, so that the PHBs think they can have one schmuck for network, phone/voice-mail, and desktop support, regardless of how users there are, or what their skill level is. Not that I'm bitter or anything...
"Bugger this, I want a better world." - Jenny Sparks
What does that help?
You can use md5sum to check whether your file got corrupted over the wire.
But that does not verify the identity of the site you are downloading from.
A popular solutions of this is asymetric encryption via pgp/gpg or the host-key of ssh.
--
Post tenebras lux. Post fenestras tux.
Would this be the sort of thing that can be used to say that Microsoft's monopoly has had a detrimental, harmful effect on the consumer? The only reason why I'm wondering is because even though Microsoft might have all our base in the home desktop market, it's not quite that cut and dry in the information server market. There are more options available, and consumers aren't locked down to a specific set up (popular *nix variants to an IIS, MSSQL and NT are available).
Just wondering.
This sig is for sale
--------
Bleah! Heh heh heh... BLEAH BLEAH!!! Ha ha ha ha...
YaST, Update System. Point your box at one of the German ftp servers, and sit back and watch the pretty lines go across your screen. I've get around to playing with Debian one day, but for now I am happy as can be with my SuSE boxen :)
Need a Linux consultant in New Orleans?
Does anyone else here think that unix (as compared to win/mac) provides a feeling of a virtual space, which induces an emotional attachment that makes us better (or more involved) users?
Not that our Un*x boxen are inherently any better. We just seem to "care" more about knowing what our servers are actually doing. NT Admins are usually too busy doing everything from installing Service Pack n and cleaning the CEO's mouse to keep on top of what they were expected to be doing in the first place. Or perhaps its also a "s/he who lives by the Install Wizard dies by the Wizard" situation. It's too easy to do a "lazy install" on a Winserver.
I feel sorry for 'em, and hope this scare finally wakes up some of the CEO's who believe their IT shops will run by themselves because Bill Gates' marketeers told them a Windows server is just as service-free as their PC is. So they have one poor soul doing 5 peoples' IT jobs. *sigh*
"I figure you're here 'cause you need some whacko who's willing to stick his finger in the fan. So who are we helping?
===
First of all, WindowsNT lowers the threshold of using 'complex' systems ment for servers. So 'unskilled' sys admins, managing a NT server, are more likely to be clueless when it comes to security/patches/buqtrack/etc.
===
NT systems are a nightmare to administer compared to a linux system. I keep seeing this "lowering the threshold" comment but it's complete BS, administering an NT web server is like a nightmare from hell. It requires two to three times the amount of time and effort to maintain a secure NT web server hosting 400 domains as it does to maintain a secure linux web server hosting 2000 domains.
maru
Alternatively several companies (for example, Discover) have come out with one-time disposable card numbers specifically for online purchasing. It gets billed back to your master account but the retailer can only use it once. Good idea in light of all the idiotic online companies that apparently take absolutely no security precautions.
www.microsoft.com/technet has a link for security bulletins and updates that haven't yet appeared on WindowsUpdate. One of the patches disables WindowsUpdate. It is a security risk itself. The shop I work in has a program called StatOnline that scans workstations and servers and tells you any updates you need to install or configuration changes to make. Curiously some of the updates already have w2ksp2 as part of the title.
heh...i was going to say that, but i didn't feel like getting flamed for being a *nix zealot.
Sysads are responsible (or should be) for the security of their systems. But all sysads aren't created equal. I'm reminded of this statistic:
In spite of the fact that the American F-86 Sabre and the Russian MiG-15 were roughly comparable aircraft, during the Korean War, the Sabres racked up a 10 to 1 kill ratio.
Why? Because the American pilots were better trained and more aggressive than their North Korean and Chinese opponents.
Perhaps because they pretty much have to learn more about how their systems work, Linux admins are in effect better trained, and a bit more aggressive about security than most NT admins.
Read the EFF's Fair Use FAQ
In spite of the fact that the American F-86 Sabre and the Russian MiG-15 were roughly comparable aircraft, during the Korean War, the Sabres racked up a 10 to 1 kill ratio.
Why? Because the American pilots were better trained and more aggressive than their North Korean and Chinese opponents.
Actually, in fighter planes the equipment can make a huge difference (more than the airframe) to the combat performance, and you can bet that these guys were not running anything close to the USSR air force's spec of avionics and weapons.
British Aerospace makes no fewer than 5 major grades of the Tornado fighter, with dozens of variants thereof, and when you hear of them selling planes to Saudi Arabia for their "air force" of princes to fly, it is the bottom grade plane they get with crappy radar and tinkertoy armaments.
Actually, most Linux breaches come from the other stuff distributions contain, not Apache. Apache is wonderfully great about security. Almost as good as the OpenBSD guys. The other Linux packages (ftp anyone?) seem to have more trouble.
Engineering and the Ultimate
I'm a SysAdmin and I work with Linux, Solaris, BSD, and NT/2K. I'm an expensive NT SysAdmin that knows to apply service packs and hotfixes, and have done so since long before Windows Update. Many people prefer to hire a less experienced admin for their NT network becuase they can find them cheaper, and they don't know the difference.
It all comes down to, you get what you pay for in a SysAdmin. Many admins don't know you need to apply these fixes. I've worked for several companies that limited the service packs and fixes that could be applied. When all they allow is Service Pack 3, they get what they deserve.
So...don't blame Microsoft. Blame the companies that don't hire the right people and the clueless admins that don't do their job. We all get busy, but it's time to stop making excuses when you're behind 2 service packs.
Well, if you are considering the Linux Admin culture, it's not just facination with the development process driving people.
Unix culture traditionally has been all that focused on security, as is evidenced by their coding styles and the fact that commercial vendors like Sun would ship ancient versions of key demons like Sendmail. This inattention to security created an opposed subculture dedicated to hacking Unix, which then has forced Unix admins to be very, very security conscious (particularlly because the vendors weren't). If you *know* that there's a 99% chance that you will be hacked, you *will* apply the patches.
Microsoft has always had lots of the same security issues, but until recently there hasn't been a dedicated effort to ferrit this stuff out. A couple years ago, there weren't that many known hacks for IIS, but any particular version of RedHat had rootscripts the day it came out. (Somebody posted a story here once where his Linux box got owned 5 minutes after installation.)
Now, the docs and the scripts are out there for NT, and the opportunity to get hacked has shot through the roof. The admins are slowly catching up to the extent that they have the smarts to do so. But, as with the Unix people, they're probably going to have to learn the hard way (by getting cracked).
--
Business. Numbers. Money. People. Computer World.
One should also consider culture: NT/Win2K comes in plastic, Linux is, in the words of one of yesterday's items, a "continual beta." People check for patches for Linux because the development happens in the open and people assume that they will be updating and patching systems all the time. Managers don't think their people need to do the same for NT/Win2K and plan their workload accordingly. There is no doubt that NT/Win2K administrators are more overworked than their colleagues who do *nix administration. Managers assume that NT admins can administer user accounts, serve as DBAs on six MSSQL DBs, troubleshoot desktop boxes, plan policy, oversee acquisitions, test software, and code small apps. No one would ever say the same for their *nix admins, at least, only a fool would expect to get volumes of quality work from *nix admins so burdened. The trick is that with NT/Win2K, most of the time, one can get away with doing that. Most of the time.
which in my experience, is often wrong.
:)
Well, maybe you should learn before you mess things up then
Seriously though, i have found most admins know enough not to mess with unix...they are scared of it, as they should be. So they find/ask someone that does know what their doing. In my company, we are starting to use linux for some things, so they ask me, or a couple of other people that have the knowledge.
===
Their closed-source and propietory systems extend the time between an exploit being found, and a usable patch being produced. For a classic example, look at the Ping of Death. Linux had a patch out in (exactly) 2 hours, 35 minutes, and 10 seconds. Microsoft took almost a month.
===
The Ping of Death was years ago. Some of the linux distros seem to be getting slower and slower at releasing bugfixes against security issues in a rapid manner whereas MS is getting faster and faster.
maru
I am absolutely sure that if the best way was to use a "asymetric encryption via pgp/gpg or the host-key of ssh." then the debian guys will do it first.
War is necrophilia.
Have you ever heard the saying "Don't put all of your eggs in one basket"?
domc
"Speculation is welcome as to why NT sysadmins don't install service packs for known vulnerabilities..."
NT service packs are a huge pain in the ass. Installing one can break apps (SP 6 and Lotus notes, anyone?), create new security holes, make a (Relatively.) stable system unstable, and more. Often it can be impossible to get approval from management to upgrade like this with no testing. Getting the testing done is a pain because developers are usually more concerned with testing their latest code than worrying about service packs. Sometimes there is just no money for the testing, especially in dotcoms.
What we really need is browsers to come with a warning before anyone submits a sixteen digit number to a form on a server running IIS, warning them how dangerous it is to provide a CC number to a site running a Microsoft product.
This looks like the ultimate karmic opportunity, if anyone thinks posts of the form "All your * are belong to us" are still worth upmods.
--
Sheesh, evil *and* a jerk. -- Jade
As someone who spends a good portion of time dealing with "enterprise" NT systems, there aren't a whole lot of times when one *can* install service packs, do testing, etc. quite often, at least for me, I wait weeks to have a window of opportunity to do whatever it is that I'd like to do.
Now I realize that scheduled downtime and the like is good, and while I work towards achieving that, the reality is that the whole dot-com business space isn't run by seasoned administrators and IT managers. These people aren't always the most clueful with regards to sound information systems practices.
So, to a certain extent, there's two things- people don't always have the time to upgrade NT systems with potentially poor unstable code and then properly test it.
Also, like some other posters have said, there are lots of incompetent sysadmins out there. this falls in line with the whole "new IT infrastructure/startup/low budget/whatever" situation.
Sometimes making shortcuts to try to save money hurts you (or your customers) in the long run. one would like to hope that we'll all learn from this, but my money is against that happening. This isn't the first problem of that sort, nor will it be the last...
EOM
--
This works because you have to understand why you have to reboot: a) because dll's are updated ON DISK which were loaded in memory, so you have to reload them to see the fix get effective (thus reboot, or restart all services) and b) sometimes fixes take place in the system registry (HKLM etc). This is also loaded during boottime (in NT4) and you have to reboot to make several fixes take effect (esp. network related fixes).
So if you apply the fixes in this order: SP6, SP6a (SP6 upgradefix for Compaq machines and others), all Post SP6 hotfixes and THEN reboot, it's ok. You save yourself a lot of time.
Oh, and I do program VB/ASP sometimes, yes I do know a lot about programming AND NT administration. Don't insult people with stupid remarks, it's of no use.
--
Never underestimate the relief of true separation of Religion and State.
Maybe NT seems to be left unpatched so often because there are more machines to patch, and the admins don't have the time or management skills to reach them all? Isn't one of the big selling points of large Unix systems that one system is up to the tasks of four or more NT systems, so you only need to administer one machine, so called service consolidation? I'm sure Sun were advertising this last year, when they were promoting their version of samba.
That should do it for web companies, shouldn't it?
--
Excuse me. Did you say "crash course?" Well, I think you're absolutely right! You see, anybody studying Micro$oft products IS taking a course in crashing!
Micro$oft's sorry excuse for "products" SUCK! Their only real product is their marketing. Why oh why do so many people fall for their bullsh*t?
An Eastern European hacker group has spent the last year systematically exploiting known bugs in IIS to steal customer and credit card info. Read about it at the SANS security site.
Sans Security...heh, what an appropriate title
---
Check in...OK! Check out...OK!
I pledge allegiance to the flag...
of the Corporate States of America...
Systems get broken, hardware fails. That's why there are things like TripWire, MD5 checksums, and... most important of all... Backup Tapes. All of these are important at getting the system back to a previous, assumed "safe" or at least sane position.
Why do these people with $$,$$$,$$$ floating through their sites do stupid things like keeping the numbers in a database? We don't do that where I work, and I'll make sure we never do.
--Mike--
A lot of NT admins do not install the current servicepacks on purpose. If I recall correctly, SP1,SP2 and SP4 for NT 4 were highly unstable and most admins stuck with SP3 even after SP4 because it had been proven stable. I guess that's the tradeoff with Micro$oft, stability or security... but never both. Bud as an added bonus, they'll give you a dozen certified MONKEYs to help you run your box.
This is a problem, OS vendors care for security (I suppose) but the thing is that until now a bad security in an OS doesn't hurt the company: sales are the same wether a big vulnerability is discovered or not.
But also not OS companies have little or no respect for security; sure they have all their "important" papers protected inside lockers, and have security personnel on the company headquarters and security checks, bad they have not that kind of vigilance when it comes to computers and Internet, they don't give importance to that, otherwise how is it possible that most of the attacks are known vulnerabilities. The point of full disclosure is that everybody should know so everybody can prevent but if a company doesn't bother...
We the customers of this companies should have ways to enforce them to take security measures or we should know who can we trust and who we cannot, I don't know how but there should be a way.
To put it short, bad security in a flight company puts them out of bussiness; but security in the internet world leaves things the same.
Theres not much to study, if Microsoft took the initiative and released secure products from the beginning this wouldn't have taken place. Take a quick look at the wonderous task developers at OpenBSD have taken in releasing a secure OS. All this and theirs is a free operating system with the minute amount of resources as MS
Can someone explain the legalities of the FBI getting involved at crimes that occur from European or other places around the world, when they seldomly contend with the issues we have here. What exactly can they do to someone say in the Phillipines which we've found has no laws regarding computing, as was shown with the Melissa virus creator.
I think I would pass based on experience with using anything the government has their hands on. Call it paranoia, but I know how to download my own patches, which I don't have to since I don't use MS products.
Now as to why admins don't install patches, it could stem from a lack of knowledge regarding security, their too busy assessing everything else and are understaffed, or their simply lazu bofh's who think that it hasn't happened to them and probably won't. Bad move. Being in the industry for such a short time, I've seen the attitudes to be "I have a firewall" or "We're a small company so it won't happen." This is what kills me, is that when the sh## hits the fan, many could've avoided the situation by applying a patch that would've taken no time at all.
I understand companies have networks the size of small counties, but I think their workers should take the initiative and secure their networks as a matter or unofficial policy or principal. Otherwise its not a crackers fault (crackers will be crackers) but their own ignorance.
Request for Comments on Script Kiddiots
360 degrees of Karma
I keep a seperate card specifically for online transactions. It has a woefully small credit limit so I'll never be out by more than I can afford.
Xix.
"Everything is adjustable, provided you have the right tools"
Seems IBM has some problemss too.
Anyone who is serious about 24X7, secure operation of thier network will have a lab set up to test later versions of OSes & apps, as well as any security and update patches for the above.
I'll use this as a cluestick to beat the money out of the ones with the purse strings to get a test lab going, now!
"Depression is merely anger without enthusiasm." - Anonymous
I can't apply just the parts of the service packs that fix the holes. I also have to apply the parts that break the applications and/or drivers.
This is a design issue. I've often debugged Linux kernel modules inserting and removing them on a running system without affecting anything else.
It is extremely rare for a fix in one place on an non-microsoft system to have any effect (much less a disabling effect) on unrelated programs.
The incremental patch paradigm works better for mission critical systems, but Microsoft doesn't have that, just service packs and hotfixes.
They are running SP3 because applying anything later will render their system DEAD. If you can't run the application there is no point in having a secured system.
Why should they have to fix their software if they coded to Microsoft APIs using a Microsoft enviroment?
And I do blame the companies. If they hired the right people (or let them do things right) they wouldn't pick an OS where they have monolithic service packs. Their mistake was starting with Microsoft without allowing for recoding for every service pack.
Credit card companies will limit your out-of-pocket liability to $50 for a string of related charges. Your homeowners/renters insurance policy will cover this $50 portion without a deductible, so if you claim it you won't pay a dime. I work for an insurance company ( Travelers ) that offers a policy that covers ANY expenses related to identity theft. They will pay for the cost of ordering your credit reports, hiring a lawyer, etc. if someone steals your CC info or assumes your identity to obtain credit.
I'd rather have a full bottle in front of me than a full frontal lobotomy.
ie: One world, One Operating System, One exploit.
>To all those claiming MS sucks, Linux rules... >Keep in mind that the reason why you don't see >people stealing credit card information off >Linux hosts is because few use Linux for this >purpose. Specifically I'm referring to the data ?>from the Netcraft SSL server report which shows >over 50% of commerce websites run Microsoft, and >only a very small percentage run Linux. Let's take a closer look. First of all, note that you are looking at the statistic only for the US, where Microsoft has much more of a monopoly than in other countries. Look at the statistics for Germany, or Japan, for example, and you will see that more SSL sites use Linux than Windows in those countries. See http://www.netcraft.com/survey/ >If they were all running Linux, the attackers >would be grabbing root instead and sifting to >MySQL databases. Well, I'm not sure about Linux specifically, but it is clear from the data that as of Feb 2001 59.99 of the web servers out there are running Apache. Only 19.63 are running Mircosodt-IIS. It is probably true that more servers that are processing credit card transactions are running Windows. I base this on the statistics from the Netcraft Survey where it says ,"English speaking countries make up the lion's share of secure servers, with around 75% of ecommerce sites registered in the US, UK, Canada, and Australia."
Since the hackers are presumably looking for a combination of weak security and $ to be earned,they are targeting Windows machines that process credit card transactions.
Ofcourse, what is surprising is the fact that the FBI says that these hackers are being extremely successful. Yes, they probably are targeting a disproportionate number of Windows machines. But, simply saying that if they were targeting Linux e-commerce servers, they would get the same results is not logically compelling. Mabey they would. Then again, mabey they wouldn't.
What is clear is that running an e-commerce site using Windows, and not patching your software with the latest security fixes poses a very significant risk to your customers.
Randy.Flood@RHCE2B.COM
The thread is kind of funny.
To all those claiming MS sucks, Linux rules... Keep in mind that the reason why you don't see people stealing credit card information off Linux hosts is because few use Linux for this purpose. Specifically I'm referring to the data from the Netcraft SSL server report which shows over 50% of commerce websites run Microsoft, and only a very small percentage run Linux.
If they were all running Linux, the attackers would be grabbing root instead and sifting to MySQL databases.
Actually the thing that bugs me the most about all of this is why do these websites even store the credit card numbers anyway? Seems like these should be offloaded to an internal machine for processing, not sitting on the public web server.
NOPE, they don't have to notify you. And Yes it's up to you to notice those "funny charges".
... and then with the data, They can advise the host (users) card service provider/bank and have them run a pattern of activity and notify the customer if something seems wrong.
What they should do is notify their CC clearing house which will notify VISA, Mastercard, American Express
Ever get that phone call at 7 pm at your home asking "you have done xyz amount of purchases and were confirming that because of different activity it's you" Happen twice this year (2001) so far and had all my cards switched (yes they do it for free).
Offtopic : Protecting yourself
1) only use 1 or 2 cards that are strictly for on line purchasing.
2) give the CC companies the only approved delivery address home and office ( they will thank you for it )
3) when you think you are scammed, file the claim fast and then cancel the card and have them issue a new one.
4) if you on-line bank, do it only from your home and not your office. There are sysadmins that have keyloggers and other snooping devices.
5) this is important Each $ 1000 of credit = about 200 real cash (fense value) to a thief so keep your credit purchase per transaction limit to 300. this way the CC has to veryify the purchase to the 2 known addresses and phone #'s
I hope this helps
ONEPOINT
spambait e-mail
my web site artistcorner.tv hip-hop news
please help me make it better
if you see me, smile and say hello.
You may work somewhere big, but you don't know the first thing about SQL server.
Yes, it installs with a blank password by default. However, in over 50 SQL server intstallations, with literally hundreds of MS and third party apps, I have yet to see a single app that has this hardcoded. I would faint at the sight of an app that requires a blank SA password.
You're quite right about SP5, though, and SP2 was similar.
-b
If I wanted a sig I would have filled in that stupid box.
*cough*
*cough*
(I'd say that your gateway being secure is as important, if not more so, that your storefront itself.)